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Supercharging third-party libraries 
with memory-mapped files 



by Abdur Chowdhur 

Efficiency in terms of time to market 
and speed of processing is the 
name of the game today. Develop- 
ers are constantly required to develop 
new products faster and more efficiently. 
To facilitate that goal, many developers 
have come to rely on third-party libraries. 
These libraries allow developers to lever- 
age months and even years of develop- 
ment from specialized libraries and 
incorporate those features into their prod- 
ucts. While this allows products to be de- 
veloped faster, those products don't 
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Figure A: Using a memory-mapped file architecture speeds 
up third-party libraries. 



always run as efficiently as they would 
have if the developers had been able to 
customize the interfaces and features to 
their application. 

In this article, we'll show you how to 
speed up third-party libraries with file in- 
terfaces by using memory-mapped files 
using the architecture shown in Figure A. 
For more information, see the Solaris 
mmap man pages. A file-interfaced library 
is a library that takes a filename from the 
application, opens the file, does some 
processing, and returns a result. 



A potential 
performance problem 

The problem with file-inter- 
faced libraries is that data 
must be written from the ap- 
plication's memory buffer to a 
file, and the library must then 
open the file and read the data 
into memory again for pro- 
cessing. If this is done only 
once, then the overhead may 
not adversely affect the appli- 
cation's performance. Howev- 
er, if the file processing is done 
repetitively, then performance 
can be dramatically hurt. 

A better alternative is to 
pass a memory buffer to the li- 
brary and have the processing 
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done directly in the memory without the overhead 
of copying the data multiple times and involving 
the file system. Since many of these libraries don't 
provide a memory /buffer-passing interface, this 
option may not be viable. 

Another option would be to modify the li- 
braries, but availability of source code or mainte- 
nance issues provide additional problems to 
that solution. Therefore, we need a solution that 
doesn't require modifying our third-party libraries 
and still overcomes the performance problems. 

Before showing our solution we'll explain the 
concept of memory-mapped files and how that 
paradigm can be used for this type of problem. 
Then we'll present some example code showing 
both approaches and timing results. 

How does memory mapping work? 

Memory -mapped I/O maps a file from the file 
system to the memory system. This allows you to 
directly manipulate a buffer rather than using 
read and write calls to access or modify data. So, 
rather than read /write bytes, you can obtain ac- 
cess via buff[x]=12. Memory-mapping files have 
been used for many years with virtual memory 
systems. BSD UNIX has had various flavors of 
mmap since 1981, and now it's supported by both 
SVR4- and BSD-based systems (see Gingell, R. A., 
Moran, J. P., Sannon, W. A. "Virtual Memory Ar- 
chitecture in SunOS," Proceedings of the 1987 
Summer USENIX Conference). 

The high-level concept is a file that's just a list 
of blocks of data. By mapping those blocks to the 
virtual memory system, access from your applica- 
tion is just like any other memory access. In reali- 
ty, when you attempt to access to that block, a 
page fault occurs, which tells the virtual memory 
system to load the page into memory and redirect 
any access to the new physical memory location. 
The same process is used for mapping executables 
files and virtual memory. 

File interface solution 

While mapping a file to memory may be a good 
idea for the operating system, when reading data 
from files, it still requires your third-party 
libraries to be modified. We've determined this 
isn't possible. 

To circumvent modifying our libraries, we'll 
map our buffers to files. We'll lock those files into 
physical memory, and the library will be passed a 
filename to process. When the library attempts to 
open and read the file from the file system, those 
reads will be redirected to physical pages of mem- 
ory. At least one copy process is eliminated, and 
file system reads are eliminated and replaced by 



memory copies. For our application to do this, we 
must first modify our code. 

A typical application allocates a buffer of mem- 
ory with a call to ma 1 1 oc. The system, in turn, allo- 
cates memory and returns a pointer to the new 
memory. The application modifies that buffer 
with the data for the library. That data is then 
written out to a temporary file, and the library is 
called to process it. 

While this works fine for buffer interfaces, it 
becomes a problem when dealing with file inter- 
faces. Another approach is to create a temporary 
file and seek a given number of bytes into the file 
(the amount that would have been allocated with 
ma Hoc). Then, write one byte. That new temporary 
file is then memory mapped. The mmap call returns 
a memory pointer just as ma Hoc would have. 

Note that new memory can be locked into 
physical memory via the mlock call if you have 
super user privileges. However, we don't recom- 
mend this, since many adverse performance is- 
sues are caused by locking memory and removing 
the paging system's ability to manage system re- 
sources. The returned memory buffer is filled 
with data, just as before. 

The library is now sent the name of the tempo- 
rary file to process. When the library attempts to 
read from the file, those reads are redirected to 
physical memory, and only memory copies are re- 
quired. When the library returns, the temporary 
file is simply deleted. 

A simple mmap example 

In our example, we'll show two different applica- 
tions. The first uses the file system to pass data 
to an example third-party library. The second 
does the same function, but utilizes a memory- 
mapped file. 

Using the file system to pass data 

Listing A is an example program that uses the file 
system to pass data to an example third-party li- 
brary. The program reads in a number of times to 
run the test and calls doWork. Next, doWork allocates 
a memory buffer with ma I [oc. Random data is then 
written to the buffer. 

To pass this data to our library, we need a tem- 
porary file, so we create one with f open. The data 
is written to the file with write, the temporary 
memory is freed, and the library is called with the 
temporary filename. Finally, the temporary file is 
deleted. This is the typical order of operations for 
most applications that are using third-party li- 
braries that only support the file interface. 

To implement our approach, it needs to be 
slightly modified. First, rather than using ma I loc to 
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Listing A: Using the file system approach 



#define TMPDIRFILE "/tmp/nomap.dat" 
#define TMPFILESIZE 647680 

#i nc lude <stdio.h> 
#i nc I ude <s t d I i b . h> 
#i nc lude <errno.h> 
#j nc lude <unistd.h> 
^include <sys/ types . h> 
(finclude <sy s/stat . h> 

#1 nc I ude "readii le.h" 

int doWork () 
I 

/• 

• Allocate a memory buffer. 

• Write data in the buffer. 

• Write data out to a file. 

• Call readFi le function. 

• Delete temp f i le. . . 
./ 

int x ; 
FILE .tmpjptr ; 
int ret_stat = 0 ; 
char »mem_buffer ; 

if((mem_buffer = (char.) malloc(TMPFILESIZE)) == NULL) 
I 

fprintf(stderr, "Error malloc: %d\n". errno ) ; 
return(-1 ); 

) 

/* ***•**«•••••••**••**•**«*••••••••/ 

/• Fill the buffer with dummy data >/ 
for (x = 0; x < TMPFILESIZE; x++) 
( 

memjuffertx] = (char) (x8&255) ; 

} 

/* ****»***•••••********»**••••**** */ 

/• Open the temp file... •/ 
tmpjptr = f open( TMPDIRFILE, V); 
if (tmpjptr == NULL) 
I 

fprintffstderr, "Can't open tmp file ==> %s: %d\n", 
^•TMPDIRFILE. errno ) ; 
return(-1 ); 



/• *«*••***••••••••••*•••••**•••*•••/ 

/• Wri te out data. . .•/ 

ret_stat = write (ftell(tmpjptr). memjuffer, TMPFILESIZE) ; 

if((ret_stat != TMPFILESIZE) !! (ret_stat<0)) 

I 

fprintf(stderr, "Error writing data==> %s: *d\n", 
^•TMPDIRFILE. errno ) ; 
return(-1 ); 

1 

else 
{ 

ret_stat = O ; 



/• Free memory •/ 
free (memjuffer) ; 

/« Close temp file... «/ 
fclose(tmpjptr) ; 

/• Read the temp f i le. . •/ 
readFi Le ( TMPDIRFILE ) ; 

/• Delete the temp f i le. . . •/ 
unlink( TMPDIRFILE); 

return (ret_stat) ; 



int main (int argc, char »»argv) 
{ 

int ret_stat = 0 ; 
int x = 0 ; 

for (x = 0; x < atoi(argvMl); ***) 
{ 

ret_stat = doWork ( ) ; 
if Tret_stat != O) 
( 

fprintf(stderr, "Error in doWord.\n" ) ; 
break ; 

) 

I 

return (ret_stat) ; 



create memory that will be written out to a tem- 
porary file, we use the mmap call to allocate a tem- 
porary memory-mapped file the same size that 
our ma Hoc would have returned. By removing the 
ma I loc, we remove at least one level of copy opera- 
tions, since the temporary memory doesn't need 
to be copied to the file system. 

Our example using 
memory mapped files 

Our mmap example program shown in Listing B on 
the next page is almost identical to our first pro- 



gram. We first read in the number of iterations to 
run the program. The doWork method is called. This 
time, instead of using ma I loc to create a temporary 
memory buffer, a temporary file is created with 
f open. This program uses I seek to set the number of 
bytes the file will contain. This can be considered 
equivalent to our malloc operation, but using the 
virtual memory manager to manage our process 
memory space. Next, the random data is written 
to the memory-mapped file, in the same manner 
that any memory object would be modified. The 
temporary file is closed and the readFi le library 
method is called, just as in the previous example. 
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Listing B: The memory-mapped file approach 



#define TMPDIRFILE "/tmp/nomap.dat" 
#define TMPFILESIZE 647680 

#i nc tude <stdio.h> 
#i nclude <stdlib.h> 
#j nclude <errno.h> 
#include <unistd.h> 
#1 nc L ude <sys/ types . h> 
#i nclude <sys/stat .h> 
#include <sys/mman.h> 
#i nc lude <icntl.h> 

include "readfi le.h" 

int doWork () 
1 

/. 

* Allocate a memory buffer. 

• Write data in the buffer. 

* Create dummy file. 

• Mmap data to file. 

• Lock memory. 

* Wri te data out to a file. 

• Call readFi le function. 

* Delete temp f i le. . . 
./ 

int id ; 
int x ; 

int ret_stat = 0 ; 

/• Create a memory ptr •/ 
char •mem_buffer ; 

/• Open the temp f i le. . . */ 
if ((fd = openf TMPDIRFILE, 

M)J?DWR!0_CREAT!0_TRUNC. S_IRUSR I S_I WUSR ) ) < 0) 
I 

fprintf(stderr, "Can't open tmp file ==> 

%d\n", TMPDIRFILE, errno ) ; 
return! -1 ); 

) 

/* Iseek the temp file to the desired size. */ 
if (Iseek ( fd, TMPFILESIZE-1 , SEEK SET ) < 0) 
I 

fprintf(stderr, "Can't seek to %d: 
*-%d\n". TMPFILESIZE, errno ) ; 
return! -1 ); 

} 

/• write one byte, to set the current file size *l 

if (writeffd, "", 1) !=1 ) 

( 

perror("Wri te error:"); 
return(-1 ); 



/* ********************************/ 

/* Memory map f i le. . . •/ 
if ((mem_buf fer = mmap((caddr_t )0, 
*»TMPF I LES I ZE , PROT_READ ! PROT_WR I TE , 
MAP_SHARED ! MAP_NORESERVE , fd, 0)) 
(caddr t)("-1)) 

{ 

perrorf "Error memory mapping file:"); 
exit(-l); 

} 

/• ******************* ************ t / 

I* Lock the memory, */ 
mlock{mem_buffer, TMPFILESIZE) ; 

/ * •••*•• ***************************/ 

I* Fill the buffer with dummy data */ 
for (x = 0; x < TMPFILESIZE; x«) 

{ 

mem_buffer[x] = (char) (X&&255) ; 

} 

/• Close temp file... •/ 
close(fd) ; 

/* Read the temp file.. •/ 
readFi le ( TMPDIRFILE ) ; 

I* Unmap the data from the file association*/ 
munlock(mem_buffer, TMPFILESIZE) ; 
munmap(mem_buf fer, TMPFILESIZE) ; 

/• Delete the temp f i le. . . */ 
un I i nk( TMPDIRFILE); 

return (ret_stat) ; 



int main (int argc, char ••argv) 
f 

int ret_stat = 0 ; 
int x = 0 ; 

/• Preform the test multiple times... »/ 
for (x = 0; x < atoi(argv[1 1); x++) 
[ 

ret_stat = doWork ( ) ; 
if (ret_stat != 0) 
{ 

f printf (stderr, "Error in doWork: %d\n", x ) ; 
break ; 

) 

) 

return (ret_stat) ; 
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Listing C: Sample method to read a file 



• Get a lite name, open file. 

• al locate memory for file 

• and read it to buffer. 



./ 



((include <stdio.h> 
#inctude <stdtib.h> 
#include <errno.h> 
#include <unistd.h> 
#include <sys/ types . h> 
((include <sys/stat .h> 
#include <sys/mman.h> 
#include <fcntl.h> 
#include "readf i le.h" 

int readFile ( char .fname ) 



{ 



FILE .fptr ; 

struct stat stat_buf ; 
int size_in_bytes ; 
int bytes_read ; 
char •mem_buffer = NULL ; 
char •mem_ptr = NULL ; 

/• Open the file for reading... 
fptr = fopen( fname, "r"); 
if (fptr == NULL) 
I 

fprintf (stderr, "Can't open tmp fit 
*»for read t ng==> %s: %d\n", fname, 
return(errno); 



./ 



/* Get f i le status. . . */ 
fstat(fileno(fptr), &stat_buf) ; 
size_in_bytes = stat_buf .st_size ; 

/. Get a buffer. . . •/ 

mem_buffer = (char.) malloc(size_in_bytes+1) ; 
mem_ptr = mem_buffer ; 

/• Read data. . . •/ 

for ( ; ; ) 

I 

bytes_read = read (fi leno(fptr), mem_ptr, size_in_bytes) 
if (((bytes_read<0)) U (errno==EINTR)) continue ; 
if ((bytes_read<G)) 



fprintf(stderr, "Error reading:%d\n", errno) ; 
break ; 



1 

if (bytes_read == size_in_bytes) break 
if (bytes_read == 0) break ; 
if (bytes_read < size_in_bytes) 
( 

mem_ptr ♦= bytes_read ; 
size_in_bytes -= bytes_read ; 

1 



} 

/« Free memory. . . •/ 
free (mem_buffer) ; 
/• Close temp f i le. . . 
f close( fptr ) ; 
return (0) ; 



After the file has been read, the memory is un- 
mapped and the temporary file is deleted. 

Running each example 

Listing C shows the sample program we used to 
run each of our examples. While the modification 
differences of the two programs aren't large, 
there's a paradigm shift in thinking about what's 
the most appropriate method for memory man- 
agement depending on the situation. 

Substantial improvement 

We ran each application through tests to check 
performance. Those programs are run using a test 
data set of 640 KB. The timing results are shown 



Table A: Performance comparison 
between our two example programs 



in Table A. As you 
can see, there's a 
substantial improve- 
ment in speed when 
using the memory- 
mapped file ap- 
proach. While your 
application and situ- 
ation may differ, 

having several implementation approaches helps 
find alternative solutions to bottleneck problems. 
By creating a temporary file and memory map- 
ping it to physical memory, we can use third- 
party libraries without the performance penalties 
that come from normal file-based interfaces. % 



Memory mapped 


File system 


Real 


0.063s2.690s 


User 


0.050s0.030s 


Sys 


0.010s0.070s 



Accessing a DOS formatted disk in Solaris 

Unlike a CD-ROM, a disk drive isn't polled automatically because the extra work would quickly ruin it. 
Using volume management, type vol check. This forces Solaris to poll the drive and you should see some- 
thing like this after typing moun t: 

/floppy/unnamedj loppy on /vol /dev/di sket teG/unnamed_f loppy read/write on Sun Nov 12 11:32:37 2000 

To safely eject the floppy, you should unmount the drive by using eject. You will get a confirmation message, 
and then it should be safe to remove the disk. 
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Securing BIND on Solaris 

by Rob Thomas 



The ubiquitous BIND (Berkeley Internet 
Name Domain) server is distributed with 
Solaris and provides name services to 
countless networks. However, the BIND server 
isn't without certain vulnerabilities, and is often a 
choice target for Internet vandals. These vandals 
utilize BIND vulnerabilities to gain root access to 
the host or to turn the host into a launching plat- 
form for DDOS attacks. An improper or insuffi- 
ciently robust BIND configuration can also leak 
information about the hosts and addressing with- 
in the intranet. In this article, we'll present a tem- 
plate for deploying a secure BIND configuration, 
thus mitigating some of the risk of running the 
BIND server. 

Secure the BIND configuration 

The following configuration presumes that the 
host network is connected to the Internet. Further, 
we assume that you have a working knowledge 
of BIND version 8. (We won't go into detail about 
the creation of zone files or general DNS configu- 
ration and maintenance.) We'll discuss how to 
supplement and protect an existing BIND config- 
uration. This is a split-brain NS model with a 
twist — the two sides of DNS are contained within 
completely distinct spaces. The files and address 
space are separate, thus providing a great deal of 
protection against an attack that targets one side 
of the DNS topology. 

Setup 

For our example, our internal network is 7.7.7/24, 
and our external network is 8.8.8/24. Our name 
server has an NIC in each subnet, with the inter- 
nal NIC as 7.7.7.1 and the external NIC as 8.8.8.1. 
The name server is often also the firewall, so the 
addressing scheme and dual NIC configuration 
likely fits many network topologies. 

Now, ensure that you have the latest version of 
the BIND. If you don't, you can obtain it by visit- 
ing the Internet Software Consortium BIND site at 
www.isc.org/products/BIND/. The compilation 
and installation of the BIND is well detailed at 
this site. 

Since two BIND daemons will be running on 
the host, you must create distinct UIDs and direc- 
tories. First, create two UIDs and GIDs, intnamed 
and extnamed. We'll use the intnamed user and 
group for our internal DNS, and use the ext- 
named user and group for our external DNS. 



Now, assign each a unique, non-zero UID and 
GID. We recommend using a shell that will allow 
no access, such as /bin /false or our own denial 
shell, nocando. The nocando denial shell, which 
includes detailed logging, can be found at 
www.enteract.com/~robt/TooIs. The home direc- 
tories for these accounts will be the directories we 
create in the next step. 

Next, create two directory structures to contain 
your configuration files. For example, use 
/var/ named /extnamed and /var/ named /int- 
named. In each directory, create a subdirectory 
named master for your master zones and slave for 
your slave zones, if such zones exist. 

Configure the zone files normally, and place 
them in the proper subdirectories. Remember to 
place the internal zone files in /var /named /int- 
named, and the external zone files in / var /named 
/ extnamed. Each subdirectory must also have a 
hint file and a named.conf file. Don't forget to cre- 
ate a loopback zone file for each subdirectory. You 
can find details on how to create hint and zone 
files in the August 2000 article "Configuring 
BIND 8" (www.elementkjournals.com/sun/s_sun 
/0008/sun0086.htm) by Don Kuenz. 

Let's now configure the two named configura- 
tion files, one for internal DNS and another for ex- 
ternal DNS. Pay close attention to the subtle 
differences between them. 

Configuring the external DNS— 
ext-named.conf 

The external DNS configuration file example 
shown in Listing A is built to service externally- 
based queries, recursively answer internally- 
based queries, and to mitigate many of the attacks 
commonly found on the Internet. If an attack does 
succeed in breaching or halting the externally 
named daemon, service on the internally named 
daemon for queries of internal names and ad- 
dresses is largely not effected. 

Configuring the internal DNS— 
int-named.conf 

The internal DNS configuration file is built to 
service queries from hosts on the internal net- 
works). It's also built to forward queries for ex- 
ternal hosts to the named daemon servicing the 
external side of the name server. Our example is 
shown in Listing B on page 8. 
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Listing A: The BIND configuration file for our external DNS 



II ®(*)ext-named.conf 12 NOV 2000 Rob Thomas robtecymru.com 
// Set up our ACLs 
act "xfer" { 

none; // Allow no transters. If we have other 
// name servers, place them here. 

}; 

acl "bogon" { 

// Filter out the bogon networks. These are networks listed 
// by I ANA as test: RFC1918. Multicast, experimental, etc. 
// It you see DNS queries or updates with a source address 
// within these networks, this is likely of malicious origin. 

0.0.0.0/8; 

1.0.0.0/8; 

2.0.0.0/8; 

169.254.0.0/16; 

192.0.2.0/24; 

10.0.0.0/8; 

172.16.0.0/12; 

192.168.0.0/16; 

224.0.0.0/3; 

240.O.0.O/4; 

}; 

// Set options for security 
options [ 

directory " /var /named /ex t-named"; 

pid-f i le " /var /named /ex t-named /ex t-named. pi d" ; 

statistics-f i le "/var /named/ex t-named /ex t-named .stats"; 

dump-f i le "/var/named/ext-named/ext-named.dump"; 

query-source address 8.8.8.1; 

listen-on { 8.8.8.1; }; 

// Listen on our external interface only. 

al low-transfer { 

// Zone tranfers limited to members of the "xfer" ACL. 
xfer; 

}: 

al low-query { 

// Accept all queries except from the bogons. 

any; 

}: 

blackhole { 

// Deny anything from the bogon networks as 



// detailed in the "bogon" ACL. 
bogon; 

}; 

}; 

// Link in our zones 
zone "." in { 

type hint; 

f i le "db. cache"; 

}; 

// Ensure that all attempts to query for BIND. TXT are logged 
zone "bind" chaos { 

type master; 

f i le "master/db.bind"; 

a I low-query { 

none; 
}; 

al low-transfer { 
none; 

}; 

); 

// Allow queries for the 127/8 network, but not zone transfers. 
// Every name server, both slave and master, will be a master 
// for this zone, 
zone "G.0.127. in-addr.arpa" in ( 
type master; 

fi le "master/db, 127.0.0"; 

al low-transfer { 
none; 

); 

); 

zone "ournetwork.net" in ( 
type master; 

file "master/db.ournetwork"; 

}; 

zone "8. 8. 8. in-addr.arpa" in { 
type master; 
f i le "master/db.8.8.8"; 
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Configuring the internal DNS— db.cache 

The hint file for the external DNS server should 
be the standard hint file. However, the hint file for 
the internal DNS server should be configured 
with only the names and addresses of your exter- 
nal DNS server(s). An example would be: 

; ®(#)db. cache for internal DNS 12 NOV 2000 
Rob Thomas robtecymru.com 
99999999 IN NS ns1.ournetwork.net. 



; hotwire the addresses 
ns1.ournetwork.net. IN A 8.8.8.1 



The bind zone file 

A common trick of the malicious is to query the 
name server for the version of BIND code it's run- 
ning. This allows the attacker to quickly select a 
version-specific vulnerability. To hide the version 
number, you could insert the version directive in 
the options section. However, this doesn't provide 
any logging of the attempt. Instead, we created a 
bind zone file, linked it into both our external and 
internal configuration, and now we receive notifi- 
cation of any attempts to query for version.bind. 
The code below shows us how: 

; ®(#)db.bind 12 NOV 2000 Rob Thomas robtecymru.com 
JTTL ID 
S0RIGIN bind. 



Listing B: The internal DNS configuration file for BIND 



II ®(#)int-named.conf 12 NOV 2000 
// Rob Thomas robtecymru.com 
// Set up our ACLs 



3d 



I; 



'xfer" { 

none; // Allow no transfers. If we have other 
// name servers, place them here. 



acl "trusted" { 

// Place our internal subnet in here so 

// that intranet clients may send DNS queries. 

7.7.7.0/24; 

localhost; 



acl 



bo gon " { 
0.0.0.0/8; 
1.0.0.0/8; 
2.0.6.0/8; 
169.254.0.0/16; 
192.0.2.0/24; 
10.0.0.0/8; 
172.16.0.0/12; 
192.168.0.0/16; 
224.0.0.0/3; 
240.0.0.0/4; 



options { 

directory "/var /named/in t-named"; 
pid-f i le "/var /named/ in t-named/ in t-named. pi d"; 
statistics-f i le "/var/named/int-named/int-named. stats"; 
dump-f i le "/var/named/int-named/int-named. dump"; 
listen-on { 7.7.7.1; }; 

forwarders { 8.8.8.1; 1; 

// Send all queries for external hosts to the external 
// named on this same host. The external named daemon 
// will recursively seek the answer to the internal query, 
// then return the answer. 

al low-transfer { 
xfer; 

}; 



a I low-query { 
trusted; 

1; 

blackhole { 
bogon; 

}; 

}; 

zone "." in { 
type hint; 
file "db.cache"; 

1: 

zone "bind" chaos ( 
type master; 
fi le "master/db. bind"; 

al low-query { 
none; 

}. 

al low-transfer { 

none; 

}; 

}; 

zone "0.9. 127 . i n-addr . arpa" in { 
type master; 

file "master/db. 127.0.0"; 

al low-transfer { 
none; 

); 

); 

zone "internal.ournetwork.com" in ( 
type master; 

file "master/db. internal"; 

1; 

zone "7.7.7. in-addr. arpa" in { 
type master; 
file "master/db. 7. 7. 7"; 

}; 



8 Inside Solaris 



9 CHAOS SOA localhost. root . locathost . ( 
2000081201 ; serial 
3H ; refresh 
1H ; retry 
1W ; expiry 
1D ) ; minimum 

CHAOS NS localhost. 

If anyone attempts to obtain the version num- 
ber, the logs will report the following: 

Nov 12 18:28:42 ns1 named! 17809] : unapproved 
^query from [X.X.X.X1 .33112 for "version. bind" 

Add this bit of text to your alert mechanism! 

Starting the two named daemons 

Once the configuration is complete, it's time to 
launch the two named daemons. Without chang- 
ing / etc/ init.d / inetsvc, if s wise to test the config- 
urations first. To start the external DNS service, 
type the following: 

/usr/local/sbin/named -u extnamed -c 
**• /var/ named /ex t named /ex t -named con f 

By typing the ps -fu extnamed command, you can 
verify that your externally named daemon is run- 
ning. To start your internal DNS service, type this: 

/usr/local/sbin/named -u intnamed -c 
**7var/named/intnamed/int-named.conf 

Again, typing ps -f u extnamed will verify that your 
internal name service is up and running. 

Once you have /etc/resolv.conf properly con- 
figured (use the internal address for the nameserv- 
er line), you should be able to launch queries. Test 



Listing C: Changes made to inetsvc for running our two 
named daemons 

# Start external DNS 

if [ -f /usr/local/sbin/named -a -f 
*»/var /named /ex tnamed/ext-named.conf 1; 
then 

echo "Starting external BIND server." 
/usr/local/sbin/named -u extnamed -c 
**7var /named /ex tnamed/ext-named.conf 

fi 

# Start internal DNS 

if [ -f /usr/local/sbin/named -a -f 
^/var/named/intnamed/int-named.conf ]; 
then 

echo "Starting internal BIND server." 
/usr/local/sbin/named -u intnamed -c 
*7var/named/intnamed/int-named.conf 

fi 



a few basic queries for both internal and external 
names and addresses. Then, test an intranet client 
to ensure that the forwarding is properly working. 
If you have secondary name servers, ensure that 
zone transfers are functional and complete. 

Once you've successfully completed all the test- 
ing, modify /etc/ initd/ inetsvc to start two named 
daemons at boot. Comment out the currently 
named lines and insert the code in Listing C. 

Increased security 

BIND is a necessary application on almost all net- 
works. However, it isn't without certain risks. By 
implementing a secure configuration and a sepa- 
ration of internal and external name services, you 
can increase the security and reliability of your 
name services and protected networks. ^ 



Ml 



Auditing Solaris security with CU 




by Boris Loza 

Did you know that you can inspect the secu- 
rity on an existing Solaris box by using the 
command line interface (CLI)? You don't 
have to install any expensive GUI-based applica- 
tions. In this article, we'll build a security check list 
using just native Solaris OS commands. Following 
this list step by step will help you to identify 
whether the system fits with your security policy. 

In this article we won't go into specifics about 
the need for particular checks. For a detailed ex- 



planation about Solaris security, please refer to 
Practical UNIX and Internet Security by Simson 
Garfinkel and Gene Spafford. Note that the pound 
sign (#) in front of a UNIX command indicates 
that this command should be executed by root. 

Gathering background information 

The first step is to get information about your 
system. You do this with the following uname 
command: 
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uname -a 

Using this output, we can tell the OS version 
(e.g., SunOS 5.6) the name of the hardware imple- 
mentation (e.g., sun4m spare SUNW, Ultra-2) and 
whether the latest kernel patch has been installed. 
Getting Generic_105181-22 for Solaris 2.6 SPARC 
indicates that you have the latest kernel patch (at 
the time this article was written). You can obtain 
the latest kernel patch from http://sunsolve 
.sun.com. 

You need to know the OS version and the hard- 
ware implementation for applying OS /hardware- 
specific security patches. To display the patches 
installed, type the following: 

shovrev -p 

This prints all patches currently installed on the 
system. You can compare the output with the list 
of recommended security patches available for 
this OS version. The latest recommended security 
patches are also available from Sunsolve. 

Checking account security 

The next step is to check your user accounts. First, 
display accounts without a password: 

#logins -p 

Then, delete such accounts immediately or set 
passwords for them. Now, you check accounts 
with duplicate UIDs: 

#logins -d 

You'll want to provide a different UID for all ac- 
counts on your system. 

Now you can display the date of the last pass- 
word change, minimum number of days required 
between password changes, and maximum num- 
ber of days the password is valid: 

#passwd -sa 

To alter any of these password attributes, edit the 
/etc/ default /passwd file. Now, display inconsis- 
tencies in the password file: 

/usr/sbin/pvck 

This tells you about accounts with no login direc- 
tory and the wrong shell. Next, display any incon- 
sistencies in the group file: 

/usr/sbi n/grpek 



Now you can check the accuracy of file attributes 
of installed files: 

/usr/sbi n/pkgchk -a 

You can fix any inconsistencies you find manu- 
ally. In addition, you may want to run the fix- 
modes utility found at ftp.fwi.uva.nl/pub/solaris 
/fix-modes.tar.gz. It will fix all mode 755 directo- 
ries and binaries and change the ownership to 
root where needed. Currently it supports Solaris 
2.2 to Solaris 8. 

Now you can display system parameters with 
the following: 

cat /etc/default/login 

Pay attention to the CONSOLE, PASSREO and UMASK vari- 
ables. The CONSOLE and PASSREO variables must be 
uncommented. UMASK should be set to 022 or 025. 

Next, display the password, the shadow and 
the group files with the following: 

cat /etc/passwd 
#cat /etc/shadow 
cat /etc/group 

Make sure that /dev/null is the shell for all 
non-root users in /etc/passwd. See if you have 
NP - no password entry for all system accounts in 
/ etc/ shadow. 

Network controls 

The network can be a source of many security 
concerns. You can do some simple checks to help 
ensure you're properly configured. First, display 
trusted hosts and users: 

cat /etc/hosts. equiv 

No trusted hosts should be allowed. You can delete 
this file. Next, display NFS files and parameters: 

cat /etc/dis/dfstab 

Consult Practical UNIX and Internet Security for 
how to improve NFS security. Now, display the 
message of the day file: 

cat /etc/motd 

This file should contain a warning to unautho- 
rized users stating that they aren't welcome. 
Now, display unauthorized statement at login: 

cat /etc/issue 
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Do the same to this file that you did for /etc 
/ motd. Next, display the network services file: 

cat /etc/inetd.conf 

This file should contain services only used by 
your system. Comment out any unused services. 
Display the system accounts that aren't allowed 
to use FTP to transfer files: 

cat /etc/f tpusers 

This file should contain all system accounts in- 
cluding root. Display network services currently 
active: 

rpcinfo -p 

Make sure that it isn't running any processes that 
aren't needed (e.g., rstatd, rusersd and rexd). 
Now, display the version of sendmail: 

# /usr/ccs/bin/what /usr/lib/sendmai I 

It's always better to have the latest version of 
sendmail installed on your machine. For informa- 
tion about the most recent sendmail implementa- 
tion, visit www.sendmail.org. 

Now, display the network rhost and netrc files 
with the following: 

#find / -name rhosts -Is 
#find / -name .netrc -Is 

These files don't have to exist on the system. To dis- 
able the user's ability to create .rhosts files, edit the 
/etc/pam.conf file (Solaris 2.6 and higher). If you 
can't get rid of these files, make sure that their per- 
missions are 600 and a user in whose home directo- 
ry they are located owns them. Now, display the 
user's profile file permissions for different shells: 

#( ind / -name .prof i te -Is 
#find / -name .login -Is 
#find / -name .cshrc -Is 
#find / -name .kshrc -Is 

The user should be an owner of his profile. These 
files should only be readable by the owner. 

Monitoring and logging 

Logging can provide a wealth of useful security in- 
formation if you set it up correctly. We can do this in 
a few steps. First, display the system events to log: 

cat /etc/syslog conf 



Although this file is installed by default, its 
configuration should be adjusted to specify what 
messages are to be stored in what files or forward- 
ed to another loghost on the local network. 

By default, Solaris doesn't capture syslog events 
sent to LOG_AUTH. This information is very use- 
ful since it contains information on unsuccessful 
login attempts, successful and failed su attempts, 
reboots, and a wealth of other security-related 
information. Consult www.cert.org/security 
-improvement/implementations/i041.08.html for 
detailed syslogd configuration information. Now, 
display accounts that use the su command: 

#cat /var/adm/sulog 

Checking the sulog will tell you if your users 
are trying to become the root by searching for 
passwords. If you see dozens of su attempts from 
a particular user who isn't supposed to have ac- 
cess to the root account, you might want to ask 
him what he's trying to do. 

Display audit events that have been defined: 

cat /etc/securi ty/audi t_control 

This file contains audit control information used 
by auditd. Note that the functionality of this file is 
available only if the Basic Security Module (BSM) 
has been enabled. 

Display the following if the logging cron is 
enabled: 

cat /etc/def ault/cron 

The CRONLOG variable should be set to YES. Now, 
check for all failed login attempts with this: 

cat /var/adm/ log i n log 

After five unsuccessful login attempts, all the 
attempts are logged in the /var/adm /loginlog 
file. By default this file doesn't exist, so no logging 
is done. To enable logging, create the /var/adm 
/loginlog file. Change permissions to 600. The 
owner of this file must be root. The group must be 
set to sys. 

File and directory permissions 

Files and directories can pose many security is- 
sues. Permissions need to be set to reflect your 
current permission policies to minimize the 
chances of system damage. First, display file per- 
missions in the root directory: 

Is -la / 
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Look for any unusual files in the root direc- 
tory. Now, display file permissions in the /etc 
directory: 

Is -la /etc 

All the files in / etc should be kept unwritable by 
users other than root. Display file permissions in 
the / etc/ default directory: 

Is -la /etc/default 

No files with write permissions are allowed in 
this directory. Now, display file permissions over 
system log files: 

Is -la /var/adm 

All files in this directory must be owned by sys- 
tem accounts (not actual human accounts) and 
not have world write permissions. Next, display 
file permissions for the scheduled files in the root 
crontab: 

Is -I /var/spool/cron/crontabs/root 

This file must have 400 permissions and be 
owned by root only. Display file permissions for 
the cron log file: 

Is -I /var/cron/log 

This file must have 600 permissions and must be 
owned by root. Display files owned by non-exis- 
tent users or groups: 

# find / \( -nouser -o -nogroup \) -Is 

Delete these files or change the ownership for 
existing users and groups. Now, display SUID 
and SGID files owned by root: 

# find / -user root \( -perm -4000 -o -perm 
*»-2000 \) -Is 

If s a good idea to run this command soon after 
the system has been set up. Send the output to a 
file, and keep it for making comparisons later: 

# find / -user root \( -perm -4000 -o -perm 
^-2000 \) > files. check 

Then once in a while run the following command: 

# find / -user root \( -perm -4000 -o -perm 
^-000 \) I diff - files. check 



One of the ways to grant users the root privi- 
leges to do a specific job is by using the sudo ap- 
plication found at http://smc.vnet.net/. Now, 
display world-writeable files: 

• find / -type f -perm -2 -Is 

Most systems don't have any reason to have 
files that are writeable by anyone. Next, display 
world-writeable directories: 

• find / -type d -perm -2 -Is 

Review the output. You don't need it set for direc- 
tories such as / etc, /var, /dev, /devices etc. 

Other areas 

You can find out the last time your system was re- 
booted with the following command: 

last reboot /var/adm/wtmp 

If you have accounts with a restricted shell, check 
to see if they're set up properly. The vanilla re- 
stricted shell rksh is breakable. To check whether 
restricted shell accounts are set up correctly, do 
the following: 

• From the restricted shell account, start the vi 
editor. 

• Inside of vi, set the following variable: 

set she I t=/bi n/sh 

• Type : s he 1 1 . When you get a shell prompt, try 
cd /. If you succeed, your restricted shell 
account should be configured properly. 

For how to configure a restricted shell account, 
refer to Practical UNIX and Internet Security. 

Ifs always a good idea to check to see which 
kernel modules are loaded. Programs such as TTY 
Watcher, which can capture all users' keystrokes 
need to be loaded into the kernel. Make sure that 
no foreign modules are loaded. You can check 
which kernel modules are loaded by typing the 
following command: 

modinfo 

Conclusion 

By using the operating system's commands, you 
can quickly check the security on your Solaris ma- 
chine. You don't have to install and configure 
fancy security checking applications. 
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The security checklist provided in the article 
doesn't intend to be unique or complete. You can 
expand it with whatever your specific security 
needs may be. Consider your environment when 



looking at security. Your approach to a machine 
that is available on the Internet will be much dif- 
ferent than a box located behind a firewall with a 
non-routable address. tK- 



Using truss to track processes 



by Shriman Gurung 

If a process tries to use a file and fails, for 
whatever reason, you can use the truss com- 
mand to get to the bottom of the problem. Use 
truss to trace the system calls and file accesses 
that a process makes. You'll find that truss is ideal 
for solving problems involving missing files and 
permissions. 

Let's illustrate with an example. On our sys- 
tem, the file / tmp / foo doesn't exist. If we try to 
list it, we get the following familiar error: 

$ Is /tmp/foo 

/tmp/foo: No such file or directory 

Now lef s peek under the hood with truss. We 
simply call truss along with the name of the pro- 
gram we want to look at and any arguments that 
the program normally takes. You'll see that truss 
returns a lot of information, so for clarity we'll 
only show the most relevant lines of output: 

S truss Is /tmp/foo 

execve("/usr/bin/ls",0xFFBEB4,0xFFBEC0) argc=2 



lstat64( "/tmp/foo", 0XFFBEFA58) Err#2 ENOENT 



Solaris uses the execve system call to start the Is 
program. Then it attempts to retrieve information 
about the /tmp/foo file using the L s t a 1 64 system 
call. This fails with return code ENOENT; that is, the 
file doesn't exist. ENOENT is a standard Solaris error 
code; for a complete list, see the header file 
/usr/ include/ sys/ errno.h. 

Saving truss' output to a file 

Let's try another example. In Solaris, only root 
may read the /etc /shadow file, since it holds en- 
crypted passwords for all accounts on the system. 
Let's try reading it as a non-root user: 



$ truss cat /etc/shadow 2> /tmp/truss.out 
$ more /tmp/truss.out 



This time we redirect the output of truss to a 
file to make it easier to read. Truss sends its out- 
put to standard error in order not to conflict with 
the normal behavior of your program, which it as- 
sumes will send its results to the standard output. 

Looking at the output from truss, we see a line 
like this: 

openG4( "/etc/ shadow", 0_RD0NLY) Err#13 EACCES 

What does this mean? Truss is telling us that So- 
laris tried to open the file, but failed because the 
calling process didn't have sufficient permission 
to access the file. 

Using truss on a running process 

Sometimes it's not appropriate to start a new 
process with truss. For example, if you wanted to 
track down a problem with your mail server, you 
might not have the luxury of being able to shut 
down the existing process and start it up again 
with truss. 

The -p option for truss allows it to monitor a 
running process. Use ps to find the process ID of 
the program that you're interested in, and then 
pass this number to truss. For example, let's say 
we want to monitor sendmail. Sendmail runs as 
root, so we must run truss as the root user: 

# ps -e ! egrep sendmai I 
1776 ? 0:00 sendmail 

The process ID of sendmail is 1776, so we pass 
that to truss: 

# truss -p 1776 2> /tmp/truss.out 8 

# tai I -f /tmp/truss.out 
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poll(0xFFBEDF7O. 1,60000) 



[sleeping. . 



This time, we've chosen to run truss in the 
background by using the suffix &. This allows us 
to continue working while it collects information. 
We can also use the tail utility to watch the output 



file as truss adds to it. Notice how truss reports 
the process as sleeping when sendmail is waiting 
for work to do. 

Summary 

Take a few minutes to play around with truss. Re- 
member that truss is a general-purpose, process- 
tracking utility. Whenever you want to know what 
your process is doing, truss is the tool to use. ^ 
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by Don Kuenz 

In the last two months we brought you the ar- 
ticles "Creating a News server" and "News- 
bot cleans up." In these articles, we showed 
you how to configure a full-blown news setup. 
But what if you just want to automate the pulls of 
a few newsgroups without all the complications 
of a dedicated news server? If you'd like to set up 
some news service capabilities, you can use a free 
package named suck to pull small amounts of 
news from an ordinary dialup Internet connection 
into a local news server. You don't need a peering 
arrangement with your upstream news server, be- 
cause suck uses the same protocol used by news- 
readers. Besides pulling news, you can also post 
articles to your upstream news server. 

In this article, we'll show you how to install 
and use the package. You should only use it to 
feed roughly a dozen non-binary news groups. 
Many news administrators consider it abusive to 
use this software to pull thousands of groups con- 
taining megabytes of data. 

Installing the software 

You should find it fairly easy to install the soft- 
ware. Suck's authors distribute the package as C 
source. Note that you must compile it before you 
can install it. Download a free C compiler and a 
make tool from www.sunfreeware.com. You can 
obtain suck's source code in an archive file avail- 
able at ftp://sunsite.unc.edu/pub/Linux/system 
/news/transport. 

After you obtain the archive, extract the source 
and change to the directory that it creates. Next, 
compile and install suck using the following 
commands: 

./configure 
gmake 

gmake install 



These commands create binaries that use a 
traditional, flat-file, news-spool structure. The 
README distributed with the source explains 
how to use other spool structures. The default 
configuration installs the binaries into the / usr 
/local directory. The README also explains how 
to install the binaries into a different directory. 
Depending upon your host's security, you may 
need to run gmake install as root. 

The installation procedure installs the binaries 
shown in Table A. It also installs the associated 
man pages. After you install the binaries and man 
pages, you can configure your host. 

Configuring your host 

Configuring your host to pull news involves cre- 
ating several data files and modifying a script 
named get.news.inn. You can find samples of 
both under the samples directory in the source 
distribution. In our example, we place the 
data files under a directory named /usr /local/ 
news/ db. 

At a minimum, you need to create two files 
named active-ignore and sucknewsrc. You put the 
names of local newsgroups that you don't want to 
pull into the active-ignore file. You can use wild- 
mat characters to specify ranges of groups. Our 
active-ignore file contains the following lines: 

control 
control .* 
junk 
local.* 

The sucknewsrc file contains newsgroup names 
followed by the last article number pulled. You 
can initialize this file by adding one line for each 
newsgroup that you want to pull. The line con- 
tains the name of the newsgroup followed by a 1. 
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Table A: Binary filenames and their functions 



Binary name 


Function 


lmove 


Takes articles in a single directory and puts them 
into a directory tree based upon newsgroups 


Ipost 


Reads news data from stdin and posts it to the local 
server 


rpost 


Posts local articles to your upstream news server 


suck 


Pulls a small newsfeed from your upstream news 
server 


testhost 


Tests the status (up or down) of a news server 



When you pull news for the first time, the software assumes that it 
needs to pull all articles with an article number greater than 1. Our ini- 
tial sucknewsrc file contains the following lines: 

comp. unix. Solaris 1 
alt. Solaris. x86 1 

You also need to configure a shell script that pulls and posts news ar- 
ticles from your upstream news server. Our script uses at least one argu- 
ment — the host name of the upstream news server. You can include 
additional arguments to specify a username and password if your up- 
stream news server requires authentication. 

Due to space limitations, we have made our get.news.inn file avail- 
able for downloading at our FTP site. Let's cover some of the finer 
points of this sample script. A variable named REM0TE_H0ST holds all of 
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the arguments entered when you invoke the script. At 
a minimum, this includes the host name of your up- 
stream news server. It also may hold a username fol- 
lowed by a password, if your news server requires 
authentication. The next few lines in the script set 
variables to the directories used by our local news 
server. They reflect a default installation of INN. 

The script starts invoking binary programs about 
one third of the way down. First it checks to see if a 
pull job is already running by looking for a lock file. 
When it finds a lock file it aborts; otherwise, it creates 
a lock file and continues. Next, it makes sure that it 
can talk to both the local news server and the up- 
stream news server. If everything connects, it then 
pulls articles from your upstream news server. Next, it 
posts any articles originating from your local news 
server to the upstream server. Finally, it removes the 
lock file. After you finish tailoring the get.news.inn 



script to your own host, you can start pulling and 
posting news. 

Pulling and posting news 

You need to find out one more piece of information be- 
fore you actually start pulling and posting news. Does 
your upstream news server authenticate users by ask- 
ing for a username and password? Many news servers 
now authenticate users to make sure that no one abus- 
es the server. 

If your server requires authentication, use the fol- 
lowing command: 

get.news.inn news.isp.net \ 
-U username -P password 

On the other hand, if your news server doesn't require 
authentication use this command: 



Listing A: Results displayed from a successful news pull get ' news ' ' nn news ■ ' S P ■ net 



Attempting to connect to news. upstream. net 
Using Port 119 

Ofticial host name: news.upstream.net 
Address: 192.168.1.1 
Connected to news.upstream.net 

200 News Service Ready (Typhoon ¥1.2.2) Posting Allowed 

Loading active iile from localhost 

Reading current sucknewsrc 

comp. unix. Solaris - 1 articles 228115-228115 

alt. Solaris. x86 - 1 articles 112645-112645 

Adding new groups from local active file to sucknewsrc 

Elapsed Time ■ 0 mins 1.78 seconds 

2 Articles to download 

Deduping Elapsed Time = 0 mins 0.00 seconds 

Oeduped. 2 items remaining, 0 dupes removed. 

Processing History File Elapsed Time = 0 mins 2.22 seconds 

Processed history, 0 dupes removed 

Total articles to download: 2 

3918 Bytes received in 0 mins 1.05 sees, BPS = 3724.2 
Closed connection to news.upstream.net 
Posting Messages to localhost 
2 Messages Posted 

Elapsed Time = 0 mins 0.27 seconds 
Cleaning up after myself 
Downloaded Articles 



Listing A shows the results displayed by our get 
.news.inn script during a successful news pull. You 
can see that we pulled in one article from comp.unix 
.Solaris and another article from alt.solaris.x86. Look 
for additional messages when you post articles to your 
upstream news server. 

Filtering your news 

A few people abuse usenet by posting inappropriate 
articles, such as spam and off-topic messages. Running 
your own news server gives you access to industrial- 
strength news filters, which enable you to kill unwant- 
ed articles. Suck includes its own filtering functionality, 
which becomes particularly useful if your ISP bills by 
minutes connected or bytes downloaded. 

Suck enables filtering when it finds a file with a de- 
fault name of suckkillfile. In our example, suck looks 
for suckkillfile in the / user /local/ news /db directory. 
Many times, abusers post a single news article to mul- 
tiple, unrelated news groups. You can tell suck to kill 
all news articles cross posted to four or more news- 
groups by placing a line similar to the following in the 
suckkillfile: 

NRGRPS=4 ^ 
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